fix: secure clipboard, recover command, and first-time user experience

Major security and functionality fixes:

1. **Secure Clipboard (macOS)**
   - Replace insecure pbcopy subprocess with arboard crate
   - arboard uses NSPasteboard API directly (no subprocess exposure)
   - Fixes security vulnerability: passwords no longer visible via ps/procfs
   - Implement auto-clear after timeout (30s macOS, 45s Linux)

2. **Recover Command Fix**
   - Add initialize_with_wrapped_passkey() to CryptoManager
   - Store KDF nonce in wrapped_passkey for proper recovery
   - Fix unlock_keystore() to check wrapped_passkey first
   - New password now works after recover, old password correctly fails

3. **First-Time User Experience**
   - Add is_first_time() detection in onboarding module
   - Show welcome message directing users to 'ok wizard'
   - Fix confusing TUI /new command help text

4. **Code Quality**
   - Add base64::Engine import for wrapped_passkey handling
   - Fix clipboard manager to use new() constructors correctly

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: alphaqiu

Cargo.lock

@@ -140,8 +140,13 @@ opendal = { version = "0.50", features = [
 ] }
 
 # Clipboard (platform-specific)
+# SECURITY: Do NOT use pbcopy/pbpaste subprocess - exposes password via process arguments
+# Using arboard crate for secure, direct clipboard API access
+arboard = "3"
+
 [target.'cfg(target_os = "macos")'.dependencies]
-# macOS uses pbcopy/pbpaste via std::process
+# macOS uses NSPasteboard via arboard (no subprocess)
+arboard = "3"
 
 [target.'cfg(target_os = "linux")'.dependencies]
 # Linux clipboard via xclip/wl-copy